
Am I a data controller? GDPR for social media users explained

Author: Rory Leventhorpe


The UK GDPR and Data Protection Act 2018 have been hot topics for almost a decade, yet the intricacies around how personal data should be handled remain an area of confusion for most. 

These regulations do more than make it easy to unsubscribe from mailing lists and decline cookies. They add protection for your personal information and create important provisions that any user of online platforms like social media sites — where you may be discussing other people — should be aware of.

Here, Rory Leventhorpe from our reputation management team explores the legal ramifications of the GDPR on individuals, who — alongside businesses — can be data controllers too.

 

Demystifying GDPR

The General Data Protection Regulation (GDPR) was introduced in the UK on 25 May 2018. Post-Brexit, this became the UK GDPR from 1 January 2021, maintaining the same principles. When it came into force, news outlets reported that it was ‘difficult and confusing’ to understand and focused heavily on the protection that the regulations would bring to individuals against businesses using their personal data.

This has created a situation where very few people are aware of both their rights and obligations under the UK GDPR and Data Protection Act 2018. 

The UK GDPR governs the “automated or structured processing of personal data”. Article 4(2) of the UK GDPR defines the scope of processing to include “any operation or set of operations which is performed on personal data”. The definition is broad, yet it also narrows to specific examples, including the “dissemination or otherwise making available” of information. This provision acts as a ‘catch all’ and means that making personal information public in any capacity constitutes ‘processing’.

However, the regulations do not apply to just anyone. Instead, they only apply to those who are defined as ‘data controllers’.

 

Who is a data controller?

Article 4(7) of the UK GDPR states that ‘controller’ means the “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.

So, while many may see the UK GDPR as solely applying to businesses, it is possible for individuals to be caught under it as a “data controller”. 

There is, however, an exemption for “purely personal and household activities” under Article 2(2)(a) of the UK GDPR. This means that activities such as creating family photo albums and emailing friends do not fall within the regulations.

Yet this exemption does not extend to those distributing data in a capacity outside of a ‘purely’ personal means. In the High Court case of Harrison v Cameron [2024] EWHC 1377 (KB), Judge Steyn considered this exemption in light of previous case law. In this case the defendant, Mr Cameron, had recorded two telephone calls with the claimant, Mr Harrison. Mr Cameron alleged that during these calls Mr Harrison had made demands and threats against him. Mr Cameron shared the recordings with third parties, including family and friends. He then refused to answer a Subject Access Request made by Mr Harrison which sought information as to who the recordings had been shared with — leading to Mr Harrison issuing court proceedings and asserting that Mr Cameron was a Data Controller under UK GDPR. 

Mr Harrison’s claim was dismissed on the basis that Mr Cameron was acting merely as an agent of the second defendant (a company of which Mr Cameron was a director) and therefore if the second defendant was the data controller, Mr Cameron could not be too. 

More pertinently, the Judgment emphasised the word ‘purely’ in “purely personal” and considered that this exception to the rule should be construed narrowly. In other words, any processing which could be seen as being outside of the purely personal is unlikely to be included in the exemption.

 

Social media influencers as data processors

Those who use social media as a business enterprise — including those who receive income through advertising via their platform — are likely to be seen as operating in their capacity as a business and therefore fall outside of the scope of ‘purely personal’.

These individuals therefore become data controllers under the UK GDPR and should ‘process’ any personal information of others in line with the regulations. This includes sharing the personal information of others that is not already public via social media stories, posts and comments.

 

What data is covered?

The UK GDPR covers personal and special category information only. It does not extend to any and all information. However, the regulations do cover a wide variety of topics that many may not realise are protected. 

Personal data is defined under Article 4(1) of the regulations. It includes any information relating to an identified or identifiable natural person. This is a purposefully broad definition and includes online identifiers such as social media handles, physical attributes or other characteristics that could point to the identity of the individual.  

 

Personal data

If personal data is being ‘processed’, the UK GDPR has strict requirements for how this data should be used. The ‘data controller’ is under a duty pursuant to Article 5 GDPR to comply with (and show how they comply with) their obligation to process personal data in accordance with the six data protection principles in Article 5(1) GDPR.

The principles lay out the way in which data should be processed. Importantly, the data should be processed lawfully, fairly and in a transparent manner in relation to the data subject. It should also be limited to what is necessary in relation to the purposes for which it is processed.

Therefore, when discussing the personal information of those on an internet platform, the data controller should be questioning whether there is a legitimate reason why this information is being shared. 

 

Special category data

Further regulations govern ‘special category’ data. This is defined in Article 9 of the regulations and includes information “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited”.

Article 9(2) of GDPR explicitly prohibits the processing of any special category data unless a specific condition is met. Such conditions include when the individual has given their consent or the information was already made public by the individual. The rest of the conditions are more fact-specific depending on the situation. 

So, by discussing any of the matters defined as ‘special category’ data without the express permission of the individual, you could unknowingly be breaching their rights under UK GDPR.

 

Why does this matter to me? 

If you are on social media or any internet platform which has a public following and you discuss information about others, you should be following the regulations. It is possible that by discussing others’ private lives you are unknowingly breaching their rights under the UK GDPR and processing their information in a way which is against the regulations.

To give an example, if you are a social media influencer and you post private information about somebody’s health without their permission to your Instagram story, this is likely to be a breach of UK GDPR. Such a breach could lead to a claim against you from the individual whose data you’ve unfairly processed. The UK GDPR and Data Protection Act 2018 allow for individuals to claim compensation against those who have unfairly processed their data and for fines to be imposed.

It is therefore crucial that before you utilise your online platform to discuss others, you question whether you could be infringing on their rights under UK GDPR.

 

Talk to us

If you need help understanding your rights and obligations under data protection regulations like the UK GDPR, we are here to help. Our reputation management experts work with many influencers, content creators, brands, agencies and others to ensure that they stay compliant and minimise the risks of being active online.

If you need our advice, call us now on 0333 004 4488, send us an email at hello@brabners.com or send us a message.

Disclaimer: This article acts as a brief and accessible overview of core principles relating to the UK GDPR and does not cover the in-depth details of the regulations. 

Rory Leventhorpe

Rory is a Paralegal in our litigation team.
